Solved: Re: How to pipe REX sequence related to host netwo...

null0 · ‎06-22-2018

Hello,
this threat to find a solution to this problem: i have many network as

(host=10.29.4.*)

not /24 but subnetted with

|rex field=host "10.29.4.(?\d{1,3})" | where range>=48 AND range<=63 ->/27

so.. how to concatenate, eg.:

(host=10.29.4.*) OR (host=10.29.10.*)
|rex field=host  "10\.29\.4\.(?<range>\d{1,3})" | where range>=48 AND range<=63
|rex field=host  "10\.29\.10\.(?<range>\d{1,3})" | where range>=0 AND range<=63

Many thanks

kmorris_splunk · ‎06-22-2018

Try this:

(host=10.29.4.*) OR (host=10.29.10.*) 
| rex field=host "10\.29\.4\.(?<range_10_29_4>\d{1,3})" 
| rex field=host "10\.29\.10\.(?<range_10_29_10>\d{1,3})" 
| where (range_10_29_4 >= 48 AND range_10_29_4 <= 63) OR (range_10_29_10 >= 0 AND range_10_29_10 <= 63) 
| eval range=coalesce(range_10_29_4, range_10_29_10)

View solution in original post

kmorris_splunk · ‎06-22-2018

Try this:

(host=10.29.4.*) OR (host=10.29.10.*) 
| rex field=host "10\.29\.4\.(?<range_10_29_4>\d{1,3})" 
| rex field=host "10\.29\.10\.(?<range_10_29_10>\d{1,3})" 
| where (range_10_29_4 >= 48 AND range_10_29_4 <= 63) OR (range_10_29_10 >= 0 AND range_10_29_10 <= 63) 
| eval range=coalesce(range_10_29_4, range_10_29_10)

kmorris_splunk · ‎06-22-2018

Are you trying to get the field range to be a combined list of IPs from both rex statements?

kmorris_splunk · ‎06-22-2018

I meant to say a list of all of the range values, not IPs.

null0 · ‎06-22-2018

i think it's hard because "range" value is a kind of consequence of network-fields that comes before (eg: 10.29.10.xxxx)

i'm not really skilled, sorry 😉

null0 · ‎06-22-2018

hi kmorris, nope, no combined list in field range.
i sincerly dont know how to do it.. do you have any hint?

bear i mind that i've totally 23 |rex filters related to as many networks

How to pipe REX sequence related to host network?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life